authorDamien Ciabrini <dciabrin@redhat.com>2017-09-27 14:35:38 +0200
committerDamien Ciabrini <dciabrin@redhat.com>2017-11-08 12:53:16 +0000
commit4ccebee06614d2791b2cb82acfa8b5244e8b3942 (patch)
treeb63efe36d2b23ae853eb23551c848724eadb87de
parentdd17e35242b027c3a5ebd23222d0abcac706806d (diff)
Galera: add support for encrypted SST
When internal TLS is enabled, generate a galera config that enables encryption of SST rsync traffic. The configuration relies on a new sst script wsrep_sst_rsync_tunnel, which encapsulates rsync traffic in a socat-based encrypted tunnel. Change-Id: I1d6ee8febb596b3ab9dcde3a85a028ee99b2798c Depends-On: Ia857350ac451fc1bda6659d85019962d3a9d5617 Closes-Bug: #1719885 (cherry picked from commit 9fb617eaea607bc3615edeaf4608fded55045ebd)
-rw-r--r--manifests/profile/pacemaker/database/mysql.pp42
-rw-r--r--manifests/profile/pacemaker/database/mysql_bundle.pp42
2 files changed, 80 insertions, 4 deletions
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp
index b9f2a65..14faa23 100644
--- a/manifests/profile/pacemaker/database/mysql.pp
+++ b/manifests/profile/pacemaker/database/mysql.pp
@@ -59,6 +59,20 @@
# one step.
# Defaults to hiera('innodb_flush_log_at_trx_commit', '1')
#
+# [*sst_tls_cipher*]
+# (Optional) When enable_internal_tls is true, defines the list of
+# ciphers that the socat may use to tunnel SST connections.
+# Defaults to '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*sst_tls_options*]
+# (Optional) When enable_internal_tls is true, defines additional
+# parameters to be passed to socat for tunneling SST connections.
+# Defaults to undef
+#
+# [*ipv6*]
+# (Optional) Whether to deploy MySQL on IPv6 network.
+# Defaults to str2bool(hiera('mysql_ipv6', false))
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -76,6 +90,9 @@ class tripleo::profile::pacemaker::database::mysql (
$enable_internal_tls = hiera('enable_internal_tls', false),
$gmcast_listen_addr = hiera('mysql_bind_host'),
$innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'),
+ $sst_tls_cipher = '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+ $sst_tls_options = undef,
+ $ipv6 = str2bool(hiera('mysql_ipv6', false)),
$step = Integer(hiera('step')),
$pcs_tries = hiera('pcs_tries', 20),
) {
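Review bot: The default at L45 carries the token `kEEH`, which as far as I know is not a keyword in OpenSSL's cipher-string grammar (ephemeral ECDH is spelled `kEECDH`), and because OpenSSL silently skips tokens it does not recognise, the list effectively resolves to `kRSA:kEDH:kPSK` — static-RSA key exchange without forward secrecy stays enabled, and `+3DES` only moves 3DES to the end of the preference order rather than excluding it. The same default is repeated at L131 in mysql_bundle.pp. It is worth checking the resolved list with `openssl ciphers -v '<the string>'` on the target platform and, if ECDHE was intended, correcting the token; a short comment above the parameter recording where the string was taken from would also help whoever has to audit it later.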
@@ -105,17 +122,36 @@ class tripleo::profile::pacemaker::database::mysql (
if $enable_internal_tls {
$tls_certfile = $certificate_specs['service_certificate']
$tls_keyfile = $certificate_specs['service_key']
+ $sst_tls = {
+ 'tcert' => $tls_certfile,
+ 'tkey' => $tls_keyfile,
+ }
if $ca_file {
$tls_ca_options = "socket.ssl_ca=${ca_file}"
+ $sst_tca = { 'tca' => $ca_file }
} else {
$tls_ca_options = ''
+ $sst_tca = {}
}
$tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+ $wsrep_sst_method = 'rsync_tunnel'
+ if $ipv6 {
+ $sst_ipv6 = 'pf=ip6'
+ } else {
+ $sst_ipv6 = undef
+ }
+ $all_sst_options = ["cipher=${sst_tls_cipher}", $sst_tls_options, $sst_ipv6]
+ $sst_sockopt = {
+ 'sockopt' => join(delete_undef_values($all_sst_options), ',')
+ }
+ $mysqld_options_sst = { 'sst' => merge($sst_tls, $sst_tca, $sst_sockopt) }
} else {
$tls_options = ''
+ $wsrep_sst_method = 'rsync'
+ $mysqld_options_sst = {}
}
- $mysqld_options = {
+ $mysqld_options_mysqld = {
'mysqld' => {
'skip-name-resolve' => '1',
'binlog_format' => 'ROW',
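Review bot: When `$ca_file` is unset, L63–L64 leave `$sst_tca` empty, so the `[sst]` section hands the tunnel a `tcert`/`tkey` pair but no `tca`, and the endpoint then has nothing to validate the peer certificate against; whether wsrep_sst_rsync_tunnel refuses to start in that state or falls back to an encrypted-but-unauthenticated tunnel is decided outside this diff, so the intended behaviour should be made explicit here. Either fail the catalog when `$enable_internal_tls` is true and `$ca_file` is not, or record the accepted weakening next to L64, e.g. `# no CA file: SST traffic is encrypted but the peer is not authenticated`. The same construct appears at L147–L150 in mysql_bundle.pp.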
@@ -143,11 +179,13 @@ class tripleo::profile::pacemaker::database::mysql (
'wsrep_auto_increment_control' => '1',
'wsrep_drupal_282555_workaround' => '0',
'wsrep_causal_reads' => '0',
- 'wsrep_sst_method' => 'rsync',
+ 'wsrep_sst_method' => $wsrep_sst_method,
'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
}
}
+ $mysqld_options = merge($mysqld_options_mysqld, $mysqld_options_sst)
+
# since we are configuring rsync for wsrep_sst_method, we ought to make sure
# it's installed. We only includ this at step 2 since puppet-rsync may be
# included later and also adds the package resource.
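Review bot: The comment at L99–L101 still describes the SST method as rsync, but after L93 it is `rsync_tunnel` whenever internal TLS is enabled, and that method needs socat and the wsrep_sst_rsync_tunnel script on top of rsync — nothing in this hunk ensures socat is installed (it may be provided by the Depends-On change; I cannot tell from here). Suggest updating the comment to `# wsrep_sst_method is rsync, or rsync_tunnel when internal TLS is enabled; both need rsync installed, and rsync_tunnel additionally needs socat` and, if the package is not guaranteed elsewhere, managing it alongside the rsync package resource the comment refers to.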
diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp
index 613be56..436947d 100644
--- a/manifests/profile/pacemaker/database/mysql_bundle.pp
+++ b/manifests/profile/pacemaker/database/mysql_bundle.pp
@@ -67,6 +67,20 @@
# one step.
# Defaults to hiera('innodb_flush_log_at_trx_commit', '1')
#
+# [*sst_tls_cipher*]
+# (Optional) When enable_internal_tls is true, defines the list of
+# ciphers that the socat may use to tunnel SST connections.
+# Defaults to '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*sst_tls_options*]
+# (Optional) When enable_internal_tls is true, defines additional
+# parameters to be passed to socat for tunneling SST connections.
+# Defaults to undef
+#
+# [*ipv6*]
+# (Optional) Whether to deploy MySQL on IPv6 network.
+# Defaults to str2bool(hiera('mysql_ipv6', false))
+#
# [*pcs_tries*]
# (Optional) The number of times pcs commands should be retried.
# Defaults to hiera('pcs_tries', 20)
@@ -87,6 +101,9 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
$enable_internal_tls = hiera('enable_internal_tls', false),
$gmcast_listen_addr = hiera('mysql_bind_host'),
$innodb_flush_log_at_trx_commit = hiera('innodb_flush_log_at_trx_commit', '1'),
+ $sst_tls_cipher = '!SSLv2:kEEH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+ $sst_tls_options = undef,
+ $ipv6 = str2bool(hiera('mysql_ipv6', false)),
$pcs_tries = hiera('pcs_tries', 20),
$step = Integer(hiera('step')),
) {
@@ -118,17 +135,36 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
if $enable_internal_tls {
$tls_certfile = $certificate_specs['service_certificate']
$tls_keyfile = $certificate_specs['service_key']
+ $sst_tls = {
+ 'tcert' => $tls_certfile,
+ 'tkey' => $tls_keyfile,
+ }
if $ca_file {
$tls_ca_options = "socket.ssl_ca=${ca_file}"
+ $sst_tca = { 'tca' => $ca_file }
} else {
$tls_ca_options = ''
+ $sst_tca = {}
}
$tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+ $wsrep_sst_method = 'rsync_tunnel'
+ if $ipv6 {
+ $sst_ipv6 = 'pf=ip6'
+ } else {
+ $sst_ipv6 = undef
+ }
+ $all_sst_options = ["cipher=${sst_tls_cipher}", $sst_tls_options, $sst_ipv6]
+ $sst_sockopt = {
+ 'sockopt' => join(delete_undef_values($all_sst_options), ',')
+ }
+ $mysqld_options_sst = { 'sst' => merge($sst_tls, $sst_tca, $sst_sockopt) }
} else {
$tls_options = ''
+ $wsrep_sst_method = 'rsync'
+ $mysqld_options_sst = {}
}
- $mysqld_options = {
+ $mysqld_options_mysqld = {
'mysqld' => {
'pid-file' => '/var/lib/mysql/mariadb.pid',
'skip-name-resolve' => '1',
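Review bot: L141–L167 are a byte-for-byte copy of the block added to mysql.pp at L55–L81, including the cipher default, the `pf=ip6` handling and the `delete_undef_values`/`join` assembly of `sockopt`; two copies of security-sensitive tunnel configuration will drift the first time one of them is patched. Consider moving the `[sst]` option assembly into a shared helper (a Puppet function or a small defined type taking cert, key, CA file, cipher, extra options and the ipv6 flag) that both profiles call, so the tunnel settings are reviewed and changed in one place. If that is out of scope for a backport, a comment at the top of each copy pointing at the other is the minimum.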
@@ -157,7 +193,7 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
'wsrep_auto_increment_control' => '1',
'wsrep_drupal_282555_workaround' => '0',
'wsrep_causal_reads' => '0',
- 'wsrep_sst_method' => 'rsync',
+ 'wsrep_sst_method' => $wsrep_sst_method,
'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
},
'mysqld_safe' => {
@@ -165,6 +201,8 @@ class tripleo::profile::pacemaker::database::mysql_bundle (
}
}
+ $mysqld_options = merge($mysqld_options_mysqld, $mysqld_options_sst)
+
# remove_default_accounts parameter will execute some mysql commands
# to remove the default accounts created by MySQL package.
# We need MySQL running to run the commands successfully, so better to